After the hack and leak of the affair-prompting dating site, there’s been another dump of information from The Impact Group. This time, internal emails were included, and it looks like Ashley Madison discussed hacking a competitor.
According to the leak, emails show that in 2012, AM’s chief technology officer, Raja Bhatia, emailed chief executive Noel Biderman after looking at the security of the new dating section of the magazine Nerve.com – a publication that looks at sex and relationships and all that. There, Bhatia found some security flaws.
“They did a very lousy job building their platform. I got their entire user base,” said Bhatia. “Also, I can turn any non-paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.” Included was a link to a GitHub archive, with a sample of the database.
However, Ashley Madison say that these messages are being taken out of context. They say that this discovery was part of “due diligence” which was undertaken in the run-up to a proposed partnership between the two. Six months after this conversation, Bhatia emailed Biderman to see if he should “tell them of their security hole”, to which Biderman didn’t reply.
In a statement, AM’s parent company Avid Life Media said the emails were “taken out of context” and that the interpretation that Bhatia had hacked Nerve was “incorrect and unfortunate”. It continued: “Nerve was exploring strategic partnerships in May of 2012 and reached out to Noel to determine Avid Life Media’s interest in the property. At the time Noel did not act on that opportunity.”
“In September PTC Advisors, representing Nerve, contacted Noel and provided a more detailed brief on the opportunity. This communique was followed by a number of conversations. Subsequently Noel contacted Raja Bhatia and asked for his assistance in conducting technical due diligence on the opportunity. This activity, while clumsily conducted, uncovered certain technology shortcomings which Noel attempted to understand and confirm.”
“At no point was there an effort made to hack, steal or use Nerve.com’s proprietary data.”
While this is all well and good, Ashley Madison have been incredibly slow and unforthcoming about this whole affair (pardon the pun). It certainly seems that this mess isn’t going away any time soon.
Spotify now want to access more information on your mobile, specifically with sensors so they know whether you’re running, standing still or walking. That doesn’t seem like too much bother, does it? Well, they also want your GPS co-ordinates too. And access to your photos and contacts.
They say that they will share that information with ‘partners’, which means that Spotify could now be telling people about where you are and, oddly, how quickly you’re getting there.
Whether you’re on the freemium model, or you’re a subscriber, this update applies to both.
The agreement says: “Depending on the type of device that you use to interact with the service and your settings, we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth).”
“We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).”
Now, you might not be bothered by this, but there are some people who are already miffed about the whole thing. Over on various social networks, some have asked if Spotify are ‘crossing the line?’, while others are saying they want to quit the service. This is bad timing for the music streaming service, as they’ve never had so much competition for people to jump to.
Whether the competition is any better remains to be seen.
A Spotify spokesperson said that they rolled out the new policy to be “as open and transparent as possible when it comes to how we describe our business, how we work with advertisers, what information we collect, and what we do with it”.
Spotify has issued an apology and an explainer.
CEO Daniel Ek says: “We should have done a better job in communicating what these policies mean and how any information you choose to share will – and will not – be used.”
So, they’re saying that you don’t have to let them access all your data, because they ask you for permission first. And they won’t share any of that info without ‘de-identifying’ it first.
Spotify want you to know that these permissions can be revoked whenever you want… although, seeing as you have to agree to their t&cs on Android, or you can’t download the app, and you can’t customise your permissions in the settings, it isn’t clear what they actually mean by this.
Hackers have got all up in the face of Mumsnet, with armed police being dispatched to the house of the founder of the site. While that is frankly bizarre, what does it mean for most of you who use the site? Well, a DDoS attack took the site offline, and all users should change their passwords asap.
Founder, Justine Roberts, said Mumsnet was the victim of a cyber attack from someone called ‘DadSecurity’ on Twitter. User information on the site has been accessed, and here’s all you need to know.
Reset your password and, if you use the same password for other sites, it’d be wise to update those too. Hackers have edited some posts from user accounts, so this is a pressing concern. Stolen passwords have been posted online.
Mumsnet have reset all passwords, so you’ll have to do this anyway, but if you’ve missed all this news, it’d be worth getting your finger out.
Mumsnet have said: “We take great care to protect the information users give us, and don’t ask for, or store, any more information than we need to run the site. All passwords are encrypted, so that no one – not even us – can see them. We think, therefore, that this has been done via a form of phishing, whereby the hacker creates a fake Mumsnet login page that looks just like the usual page, but with a slightly different URL. The hacker would have been able to see passwords in plain text when they were typed in.”
“Any passwords the hacker has been able to harvest up to this point will now be useless. However, if phishing was the cause, the Mumsnet login page could be phished again – so it’s really important to check the URL when you enter your details, or use your social login (ie via Facebook/Google), which doesn’t require a password.”
“If the URL begins with anything other than https://www.mumsnet.com/session/login, don’t use it. Note the ‘S’ in ‘https://’.”
Roughly 3,000 usernames and passwords have been posted online, but that figure could shoot up at any time. Mumsnet don’t know how much information has been obtained and the hackers could be posting them in batches.
Mumsnet has a live update going on here.
We told you about the Ashley Madison hack, where the details of loads of people were going to be dumped online. Well, it has finally happened, exposing loads of people’s naked photos, sexual preferences, private chats and of course, potentially alerting people to the fact that their partners have been having extra-marital affairs.
The Impact Team, who are behind all this, have a point to prove. They didn’t like the fact that Ashley Madison charged people to delete users’ accounts, so, to stick it to the man… they’ve… uh… taken it out on the customers. Whether or not you agree with the site, it is peculiar that the hack stands to hurt users more than the people who ran the site.
Here’s The Impact Team’s words on the matter.
Anyway, Avid Life Media (ALM), who run Ashley Madison as well as Cougar Life and Established Men, is now looking into the claim that the hack is online.
In a statement ALM said: “Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.”
Of course, this information is available on the Dark Web, which you can’t get to with normal search engines. That being the case, unless your partner is a dab hand at getting access to the underbelly of the internet, you’re probably alright. Unless you’re a celebrity or politician. In which case, you’re probably doomed.
ALM want justice for this: “This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities.”
“The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society.”
“We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully co-operate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.”
Of course, there are already rumours that there are hundreds of government email addresses in the leaked database. Of course, that’s not to say anyone who signed up even used the site or, indeed, went through with doing anything once signed up. Either way, this whole thing could devastate some lives.
People can get very jumpy about how private their browsing habits are, and most browsers are walking the tightrope of pleasing their board who want all the money that comes from tracking you, and not completely angering users.
With Apple and Google jostling for the top spot, former favourite Firefox, from Mozilla, is looking at ways of getting people back on their team, by making private browsing truly private.
Mozilla are testing out enhancements to private browsing in Firefox, designed to block website elements that could be employed by third parties to track your behaviour across sites. While most browsers have an option called ‘Do Not Track’ or similar, they don’t really mean it and you end up getting tracked all the same.
This tool will block things like analytics firms and ad networks, and stop them from keeping tabs on your cookies and the like. It is available from the Firefox Developer Edition on Windows, Mac and Linux, and Firefox Aurora on Android, and you can find out more about it here.
It has not even reached Beta mode yet, so don’t expect too much.
“We’ve worked with developers and created a process that attempts to verify that add-ons installed in Firefox meet the guidelines and criteria we’ve developed to ensure they’re safer for you,” Mozilla said.
Microsoft are under fire over something in Windows 10 that looks like it would allow them to search your computer for illegally downloaded software and media, and give them the opportunity to delete it.
This is troubling news, if not surprising.
Here’s the skinny: a paragraph in Microsoft’s terms and conditions has been found which appears to give the software company the ability to stop people from using things that weren’t legally sourced. There are already privacy concerns with Microsoft’s newest OS, and this is something that is equally troubling.
The t&cs say: “We may automatically check your version of the software and download software updates or configuration changes, including those that prevent you from accessing the services, playing counterfeit games, or using unauthorized hardware peripheral devices.”
Of course, that paragraph is on the vague side, but it doesn’t look good from the off and Microsoft could do with providing some clarity on this, or else feel the wrath of a load of very angry IT-types.
Naturally, the gaming and entertainment industries will welcome this move, as piracy has become a massive issue for them in recent years. That means Microsoft will have to walk the tightrope of pleasing companies and pleasing those that they want as customers.
They’ll win no friends if people start having their virtual sanctum messed around with.
You need to install updates on your browser at once, because there’s an exploit in it that wants to steal your data and has been turning up on websites and causing havoc.
Right away, go to Help, then hit ‘About Firefox’, then press the ‘Check for Updates’ button, to ensure you’ve got the latest version of the browser.
In a blog, Mozilla say the exploit makes use of a weakness in Firefox’s PDF viewer. The bug basically gets into your Windows computer and searches through your files looking for passwords from a host of popular FTP apps, as well as any text files with ‘pass’ or ‘access’ in the name. It will then, you suspect, send all that information to people who you really don’t want to be having that sort of information.
Even if you’re on a Mac and using Firefox, it’d be a good idea to do an update, as there’s no good reason why the baddies aren’t going after you too. So hurry up. Update your Firefox. Do it now!
It won’t surprise you that, in 2015, there’s a tech company after all your personal data. However, it is still worth talking about, especially if you’re one of the millions who has downloaded the new Windows 10 update from Microsoft.
Microsoft updated their privacy statement in a bid to explain what they’re doing with your data, and what they are collecting while your computer runs Windows 10.
They’ve said that they’re saving your search information from Bing (does anyone actually use Bing?), as well as content from your private emails and what apps you use. They are also storing information about “your typed and handwritten words”, which is sinister.
Microsoft will also store your voice through the spoken commands given to Cortana. This is all to ‘customise’ your experience, which is something we’ve heard from a lot of companies. You’ll no doubt be aware that Google go through your emails to get keywords for targeted adverts, while Apple’s Siri and Google Now collect data to personalise responses.
“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services,” says Microsoft in the new terms of services agreement.
“Windows does not collect personal information without your consent. To effectively provide Windows as a service, Microsoft gathers some performance, diagnostic and usage information that helps keep Windows and apps running properly. Microsoft uses this information to identify problems and develop fixes.”
“However, we do not use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files to target ads to you,” the privacy statement reads.
So, you might want to adjust your privacy settings, right?
Well, you can, by going to Settings, then Privacy and messing around with your options in there. If you want, you can opt out of personalised ads if you go to this page from Microsoft. You don’t need to be on Windows 10 to opt out of the latter.
There’s an internet campaign group (no, wait! Come back!) called iRights (they’re not making it easy for us) who want people under the age of 18 to be able to delete things from their social media profiles that might end up being damaging to them later in life.
Basically, if you were a gobshite when you were 14 and something you did online stopped you from getting a job, you’d be peeved. Of course, you might be a 37 year old gobshite who shouts at women for spurious reasons, in which case, there’s nothing Bitterwallet can do for you.
The organisation has already gained the support of politicians, corporations and even some young people themselves, who dragged themselves away from looking at their spots in a mirror for 10 minutes.
iRights has come up with five key things that they’d like to see, to provide better protection online for youngsters. They include that social media content should be easy to delete (which it pretty much is already, unless someone screengrabs it) and that young people should have the right to know who is holding information on them and what it is likely to be used for.
Regarding the latter, the campaign group would like to see terms and conditions that would affect young people written in such a way that “typical minors can understand them.”
“Children and young people are often presented as digital natives – with fast thumbs able to summon up the knowledge of the world in an instant, build a million dollar company from their bedroom, or topple a corrupt regime with a tweet,” iRights said. “Yet the latest research shows that far from being at the forefront of the digital revolution, many young people remain on the lower ‘rungs’ of digital understanding. They lack the skills and knowledge necessary to benefit from the immense opportunities on offer as they move between spaces that are heavily limited and others where ‘anything goes.’”
You can check what they’re all about, here
Ashley Madison, the site that allows you to have an affair (hey, who are we to judge – get yours and hurt no-one, okay?) was, as you know, hacked.
That meant that ne’er-do-wells made off with loads of sensitive information and threatened to dump the whole load on the internet, if Ashley Madison didn’t erase itself completely.
Well, the extracurricular dating site has again apologised, saying that they are now offering users the chance to fully delete their account, free of charge. This is only a temporary move though, and one that won’t impress The Impact Team, the people behind the hack.
The hackers were cheesed off with the site, thanks to the paid-delete activity. In the UK, it costs you £15 to fully delete yourself from Ashley Madison’s systems, which seems wildly unfair. The Impact Team said that, even after paying for deletion, the site doesn’t actually get rid of all your information.
In a statement, Ashley Madison hit back at this claim, saying: “Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity.”
“The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.”
Still. Get that. Having to pay to get your information out of their hands. That could very well put off a lot of people from using the dating site in the future.
And, in a Locking The Stable Door After The Horse Has Bolted move, AM is saying they’ll delete your information, even though The Impact Team already have your information in their possession. Ashley Madison are unwise to be so cavalier in attitude about this, as their customers will have no doubt entrusted them with a lot of VERY sensitive info, such as mucky photos, their sexual wants and all manner of romantic activities.
The extramarital dating site has the tagline: “Life is short – Have an affair” and apparently has around 37 million members. It was hacked by a bunch of people calling themselves the Impact Team, and they also got stuck into another pair of sites owned by the same company – Cougar Life and Established Men.
The hackers say that they’ve got complete access to the databases, including financial records and all manner of stuff. For now, Impact Team have released 40MB of data, including credit card details, and are hanging onto the rest for, you can only assume, a special occasion.
And why is this happening? Well, you might think that these hackers don’t like people having affairs. When they released the initial batch of data, they also put out a manifesto, saying that the rest of the info will be leaked if Ashley Madison and Established Men aren’t permanently closed.
It says: “Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
The thing that sticks in the craw of the hackers is that Ashley Madison charges users £15 to carry out a “full delete” of information, should they decide to leave the site.
They add: “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
Avid Life Media think they know who is behind the hack, and Noel Biderman said: “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication.” He added: “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
Is ‘touched our technical services’ a euphemism or something?
Meanwhile, parent company ALM said: “We apologise for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”
“At this time, we have been able to secure our sites, and close the unauthorised access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.”
You might think selfies are the worst thing that ever happened to the world, or indeed, may well think that they’re a marvellous show of self confidence in people. Either way, MasterCard see something different – they want to start using selfies to verify payments.
They’re only testing this at the moment, with 500 pilot users using photos instead of punching in PIN numbers. MasterCard’s chief product security officer Ajay Bhalla says this will be popular with young people. Presumably, young people who aren’t bothered about banks potentially storing photos of their faces.
Bhalla said: “The new generation, which is into selfies… I think they’ll find it cool. They’ll embrace it. This seamlessly integrates biometrics into the overall payment experience. You can choose to use your fingerprint or your face – you tap it, the transaction is okayed and you’re done.”
So, what you might be able to do in the future is hold your phone at eye level and blink once when instructed, and boom boom, the process is complete.
Bhalla says that people’s selfies won’t be stored or transmitted, in its normal construction. However, we’ve all heard that before haven’t we?